diff --git a/datasets/attack_techniques/T1068/linux_auditd_copy_fail/linux_auditd.log b/datasets/attack_techniques/T1068/linux_auditd_copy_fail/linux_auditd.log
new file mode 100644
index 00000000..6b3b3f3d
--- /dev/null
+++ b/datasets/attack_techniques/T1068/linux_auditd_copy_fail/linux_auditd.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9311e1e79cbbfdd2ff8c626c581832663263fe1c5cd2db2fb86a66be95749a03
+size 78230
diff --git a/datasets/attack_techniques/T1068/linux_auditd_copy_fail/linux_auditd.yml b/datasets/attack_techniques/T1068/linux_auditd_copy_fail/linux_auditd.yml
new file mode 100644
index 00000000..4803af39
--- /dev/null
+++ b/datasets/attack_techniques/T1068/linux_auditd_copy_fail/linux_auditd.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 46ce8b02-ddf8-4c7a-a25f-688eef5a945d
+date: '2026-05-01'
+description: Generated datasets for Copy Fail privilege escalation
+ in attack range.
+environment: attack_range
+directory: linux_auditd
+mitre_technique:
+- T1068
+datasets:
+- name: linux_auditd
+ sourcetype: auditd
+ source: auditd
+ path: /datasets/attack_techniques/T1068/linux_auditd_copy_fail/linux_auditd.log
\ No newline at end of file
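Review bot: In `linux_auditd.yml`, `directory: linux_auditd` does not match the folder the file is added under, `linux_auditd_copy_fail`, which the `path:` entry on the last line does use. If the field is meant to name the dataset folder (inferred from the path layout, not shown in this diff), it should read `directory: linux_auditd_copy_fail` so anything that resolves datasets by directory finds this one. The description would also be more useful to detection authors if it stated which auditd rules or record types the capture relies on, since a search replayed against this log only matches when the same audit configuration was in place. The file also ends without a trailing newline.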